Watchlist
An Azure Sentinel watchlist contains imported data that can be used to join or filter as an alert/incident condition.
Categories
- Security
Solutions
- Microsoft Sentinel
Columns
| Column | Type | Description |
|---|---|---|
| AzureTenantId | string | The AAD TenantID to which this watchlist table belongs |
| CorrelationId | string | The ID for correlated events. |
| CreatedBy | dynamic | JSON object with the user who created the watchlist or watchlist item, including: ObjectID, email and name |
| CreatedTimeUTC | datetime | The time (UTC) when the watchlist or watchlist item was first created |
| DefaultDuration | string | JSON object describing he default duration to live that each item of a watchlist should inherit on creation |
| _DTItemId | string | The watchlist or watchlist-item unique Id. As an example, a watchlist 'RiskyUsers' can contain watchlist-item 'Name:John Doe; email:johndoe@contoso.com'. A watchlist-item has its unique Id and will belong to a watchlist. The containing watchlist can identified using the 'WatchlistId' |
| _DTItemStatus | string | Was the watchlist or watchlist item created, updated or deleted by user. As an example, a watchlist 'RiskyUsers' can contain watchlist-item 'Name:John Doe; email:johndoe@contoso.com'. If a watchlist is added, the the status would be 'Created'. If the name of the watchlist is updated from 'RiskyUsers' to 'RiskyEmployees' the status would be 'Updated' |
| _DTItemType | string | Distinguish between a watchlist and a watchlist-item. As an example, a watchlist 'RiskyUsers' can contain watchlist-item 'Name:John Doe; email:johndoe@contoso.com'. A watchlist-item type will belong to a watchlist type and the containing watchlist can identified using the 'WatchlistId' |
| _DTTimestamp | datetime | The time (UTC) when the event was generated |
| EntityMapping | dynamic | JSON object with Azure Sentinel entity mapping to input columns |
| LastUpdatedTimeUTC | datetime | The time (UTC) when watchlist or watchlist item was last updated |
| Notes | string | Notes provided by user |
| Provider | string | Input provider of the watchlist. |
| SearchKey | string | The SearchKey is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field to join in other event tables by IP address. |
| Source | string | Input source of the watchlist. |
| SourceSystem | string | |
| Tags | string | JSON array of tags provided by user |
| TenantId | string | |
| TimeGenerated | datetime | The timestamp (UTC) of when the event was generated. |
| TimeToLive | datetime | When a row is inserted into a watchlist, a TimeToLive value is added to that row based on the watchlist’s default duration value. When the row's specified TimeToLive timestamp passes, the system will ignore the row and consider the row deleted. A row's duration can be extended at any time by refreshing the row's TimeToLive. |
| Type | string | The name of the table |
| UpdatedBy | dynamic | JSON object with the user who last updated the watchlist or watchlist item, including: ObjectID, email and name |
| WatchlistAlias | string | Unique string referring to the watchlist |
| WatchlistId | string | The watchlist ARM resource name |
| WatchlistItem | dynamic | JSON object with key-value pairs from the input watchlist source |
| WatchlistItemId | string | The watchlist item unique Id |
| WatchlistName | string | Display name of Watchlist |